Odd, I have seen this only two times since Aug 31st on any of our servers, both on Oct 13th. At 10:06:27 AM for 11 secs, a GTE net DSL host 66.13.116.* probed 36 different sites for this file. And again at 15:34:42 for 9 secs, a host registered as 'www.*.com' in 209.98.111.* also probed the same 36 sites.

I checked all sensors to see if these hosts had sent any other packets into our network or were sent anything, and just got those HTTP connections for "/sumthin"

Scott

cory wrote:

> I have seen this on our servers, starting Oct 12 with 213.165.144.xxx
> (only one ip) and then again on the 15th from 194.236.60.xxx (also one
> ip).
>
> jmaywood1975at_private wrote:
>
> >Does anyone have any ideas what attack this might be?
> >
> >Below shows 4 separate potential attacks by 3 different hosts, this is all the activity in my logs for those three hosts, nothing more anywhere related to those three ip addresses.
> >
> >It starts with a request for the directory /sumthin
> >maybe tries a header exploit by sending a VERSION method?
> >and connects ssl.

Scott C. Kennedy
Lead Security Architect/ Director of Security
Infosys Corporation
Work: (877) 772-2347
PGP: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xE27C1102

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Thu Oct 17 2002 - 17:08:29 PDT